fix: correctly resolve client IP behind proxies (#5323)

2025-08-18 18:22:17 +02:00 · 2025-08-18 18:22:17 +02:00 · f430caa1c0
commit f430caa1c0
parent c04faaaf27
2 changed files with 12 additions and 2 deletions
--- a/.env.example
+++ b/.env.example
@ -14,6 +14,8 @@ DATA_ENCRYPTION_KEY="data encryption key with 32 char"
 #   bundle names like `app://{bundle-name}/`
 WHITELISTED_ORIGINS="http://localhost:3170,http://localhost:3000,http://localhost:3100,app://localhost_3200,app://hoppscotch"

+# If true, the client’s IP address is understood as the left-most entry in the X-Forwarded-For header
+TRUST_PROXY=false

 #-----------------------Frontend Config------------------------------#

--- a/packages/hoppscotch-backend/src/main.ts
+++ b/packages/hoppscotch-backend/src/main.ts
@ -10,6 +10,7 @@ import * as morgan from 'morgan';
 import { ConfigService } from '@nestjs/config';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 import { InfraTokenModule } from './infra-token/infra-token.module';
+import { NestExpressApplication } from '@nestjs/platform-express';

 function setupSwagger(app, isProduction: boolean) {
  const swaggerDocPath = '/api-docs';
@ -38,7 +39,7 @@ function setupSwagger(app, isProduction: boolean) {
 }

 async function bootstrap() {
-  const app = await NestFactory.create(AppModule);
+  const app = await NestFactory.create<NestExpressApplication>(AppModule);

  const configService = app.get(ConfigService);
  const isProduction = configService.get('PRODUCTION') === 'true';
@ -84,7 +85,14 @@ async function bootstrap() {
      transform: true,
    }),
  );
-  app.use(morgan(':method :url :status - :response-time ms'));
+
+  if (configService.get('TRUST_PROXY') === 'true') {
+    console.log('Enabling trust proxy');
+
+    app.set('trust proxy', true);
+  }
+
+  app.use(morgan(':remote-addr :method :url :status - :response-time ms'));

  await setupSwagger(app, isProduction);